The New Security Order

by Dan Dunkel - President, New Era Associates

Published in SDM

The 21st Century security officer is like nothing this industry has ever seen before. The new security order of things runs in real time and leverages technologies much faster than prior generations, placing new demands upon security executives. They must keep pace with cyber crime, corporate espionage and global competition at levels unimagined a few short years ago. The “good old days” of 10-year product cycles and jobs dominated by physical security-type thinking are gone. The new security executive is technically astute, business focused, partner aware, and more visible in the executive ranks.

If the changing role of and relationship with the security executive were not enough, a new cloud computing model is emerging that will have a profound impact on the future of security integrator business models. The traditional security landscape is shifting under the weight of major trends as the industry reinvents itself globally. To some legacy-based businesses these changes are too rapid, and they cannot align with the new security order. To others that adapt quickly with innovation, unique opportunities are expanding in tandem with the emerging responsibilities of the security executive.

The new Security Order has arrived.

Today’s security professionals must be more aware than ever before of the global trends occurring around them. From a purely technical perspective, the pace of advancement and cultural change has altered the security profession more than any other industry, with the possible exception of print publishing. The publishing industry evolved from newsprint to digital media so quickly that the basic ability to find a workable financial model is in a constant state of flux.

The technically astute cloud pioneers (Google, Amazon.com, eBay) have e-commerce figured out and the model will evolve much faster than most people realize. However, the profound technical advances we are experiencing today are a double-edged sword of productivity and cyber crime. The FBI cites cyber crime as its third priority (following Weapons of Mass Destruction and domestic terrorism). This global problem has evolved well beyond what the resources and operational scale of the IT department alone can address. As cyber crime now exceeds the one trillion dollar mark on an annual basis (2009 McAfee Unsecured Economies Report), this issue drives the career direction of the security executive. Cyber crime is a security responsibility that extends beyond integrated physical and IT systems. Today, the security executive recognizes cyber crime as crime, and it sits squarely within their corporate domain.

The cyber crime problem must be understood from its roots to see its current and future impact from a product and services perspective.

Gulf War I: 20 Years In Cyber Time

Gulf War I had a profound impact on the nature of modern warfare and cyber crime.

In 1990 the United States military made short work of the Iraqi army, but a much larger issue was at play. American Generals Norman Schwarzkopf and Colin Powell provided video evidence daily of our success in the form of laser-guided weapons destroying buildings and vehicles with precision strikes never before seen in military history. This was a source of pride for the United States but caused considerable concern to our adversaries, specifically Russia and China. These countries created military battalions proficient in the art of cyber war to disrupt and destroy our technical capabilities by targeting poorly secured operating systems and communication networks.

For the last 20 years these former and current cyber warriors became active in cyber war, cyber espionage and criminal syndicates operating internationally. This global world of cyber war and cyber crime to a large extent has merged forces. As a result, today the United States faces its most serious security challenge of the 21st Century. Former Cyber Czar and Presidential Counterterrorism advisor, Richard Clarke, at the 2010 RSA Security conference said, “Today there is little difference between State sponsors and criminal gangs in regards to corporate (IP theft) and international espionage (cyber warfare).”

Globalization & Outsourcing: A Security Time Capsule

By any definition, globalization — our network of communications and trade — has impacted the world around us in many ways and will continue to in terms of technology, geopolitics and the issues of war and peace. While the topic is complex, our focus is the technical foundation upon which globalization rests. It is ironic that the technologies that form the basic fabric of the Internet are American innovations, and simultaneously, these information technologies created the “soft underbelly” of vulnerabilities that enables cyber crime and espionage to advance to unprecedented levels.

American ingenuity drives the backbone of globalization and as such, our intellectual property is under constant attack from foreign governments, cyber criminal syndicates, business competitors, and unscrupulous individuals.

A recent report published by the Internet Security Alliance (ISA) and the American National Standards Institute (ANSI) titled, The Financial Management of Cyber Risk, cites a cyber policy report released by the Obama Administration (May 2009) stating U.S. businesses lost one trillion dollars worth of intellectual property between 2008 and 2009. Our nation’s global competitiveness, job market and national security are all at serious risk from this continuing threat.

A close cousin of the globalization trend can be seen in the rapid growth of outsourcing. Two critical factors — one technical and one economic — combined over a 12-month period (2000 to 2001) to accelerate the growth of outsourcing. The technical issue was the millennium bug, the infamous Y2K event that focused global business on the problem of digital documentation and data storage related to the abbreviating of a four-digit year to two digits.

Major businesses quickly contracted for services to provide the fixes required. This Y2K supply-and-demand imbalance literally opened the door to the global outsourcing industry, specifically in India. This, in turn, expanded the market for optical networking as global demand skyrocketed.

On the heels of this unprecedented fiber explosion, a global and equally unprecedented “tech wreck” occurred, as the technology-heavy NASDAQ stock exchange lost trillions of dollars in stock valuations. The silver lining was that optical networks were now deploying at pennies on the dollar, wiring the world for the next technology cycle. The combination of globalization and outsourcing provided tremendous business advantages, but also accelerated cyber warfare, cyber crime and corporate espionage.

These cyber threats to national security and global competitiveness have combined into new responsibilities for corporate boards and executive staffs, which in turn have created new visibility for security executives, who place new demands on their security product manufacturers, distributors and integrators.

The Coming Clouds Have A Silver Lining

Some would argue that “cloud computing” is an old concept (timesharing) with a new name. Perhaps, and many of us are already using the cloud model every day when we check our e-mail on Yahoo or similar services. The fact is that as technology gets commoditized and less expensive, it deploys widely into new forms. Hardware, software and services (including personnel) are not going away, but they may not be as large a part of your business’s operating environment in the future.

The cloud model takes many forms and can be a publicly shared resource or a private cloud internal to one company. You can utilize cloud computing for all your business needs and pay as a monthly charge using a Service Level Agreement (SLA) to determine rates. Firms can also offload some general services (e-mail), while keeping proprietary product information in house. This is known as a hybrid model.

Lastly, companies can choose to ignore it altogether and fund an internal IT department. Cloud computing is basically a “rent versus own” decision. It is a cost-saving model for businesses of all sizes, and will become a security solution for many small and medium-sized businesses that do not have internal IT staffs, but nonetheless will be expected to secure information assets in supply-chain scenarios.

Wikipedia is a great source of cloud computing information and defines the model as Internet-based computing, whereby shared resources, software and information are provided to computers and devices on-demand, like a public utility. The term cloud is a metaphor for the Internet, based on the cloud drawings used in the past to represent the telephone network, and later to depict the Internet in computer network diagrams.

Gartner Group defines cloud computing as a style of computing where massively scalable IT-related capabilities are provided “as a service” using Internet technologies to multiple external customers.

Gartner predicts that the impact of cloud computing on IT vendors will be huge. As companies utilize cloud computing to provide IT services they will be placing additional emphasis (and money) on the need to secure their business operations and brand reputations in an era of increasingly sophisticated cyber crime.

Total Security Assessment Services

Risk assessment and business continuity can be viewed as one and the same, conceptually. If businesses are not protected from the serious risks to their operations, they will not continue as viable entities. A new model needs to evolve that counters real-time and never-before-seen attack scenarios. On top of traditional risk concerns impacting employees, products, markets, and finances, a business now must be on guard for deliberate cyber attacks and corporate espionage, internally and externally, in the form of intellectual property theft.

Our nation’s intelligence agencies see emerging security and technology threats many years ahead of the global commercial markets. Current Director of National Intelligence, Admiral Dennis Blair, recently led a discussion on cyber security, stating: “Sensitive information is stolen daily from both government and private sector networks, undermining confidence in our information systems, and in the very information these systems were intended to convey. New cyber security approaches must continually be developed, tested and implemented to respond to new threat technologies and strategies.”

There is an opportunity for innovative security integrators to provide new services around the model of a total security assessment that embraces physical, logical and cyber security best practices. Conducting a thorough audit of a company’s business operations (and its supply chain) with an eye towards protections against the latest criminal practices (physical and cyber crime) will require consistent countermeasure deployments and ongoing employee and partner education.

Continuously vetting suppliers, third-party partners and internal employees to protect intellectual property will be a continuing concern for American business.

By examining a customer’s business model to identify security gaps and by comparing the attack models being used against legitimate businesses, the integrator takes on the role of a key security advisor. This service will be a high-margin offering for integrators. Smart integrators will be hiring cyber talent out of universities, paying for information assurance (IA) certifications and online programs for employees, and creating educational content.

Cyber crime and prevention will be a long-term business issue. Integrators combining cyber expertise and physical/logical deployment knowledge will demand significant margins. The convergence of physical/logical security and cyber crime offers integrators the opportunity to position their business model for the new security order.

Meeting The New Challenge

John McClurg, vice president of Global Security & CSO, Honeywell International, is a former supervisory special agent with the FBI, and served in the National Infrastructure Protection Center at the Department of Homeland Security. He believes the physical and cyber worlds are “inextricably interconnected.” McClurg’s advice: “Leverage the convergence of both security products and the expertise of the people using them into a holistic approach by which to confront the cyber and physical threats of the 21st Century.”

Cyber crime is fundamentally altering the job of senior security executives; it impacts the reputation, business operations and economic well-being of an organization. The new security order is changing the playing field for our profession, as national security and global economic interests are simultaneously being attacked by sophisticated adversaries. Our network of security manufacturers, distributors and integrators must step up quickly to this new global challenge and recognize the change occurring in the executive suite.

As the business operates in an environment of new threats, old sales tactics, product cycles and relationships will not work. Partners are expected to understand CSO/CISO issues and bring value to problem-solving with a strong return on investment.

The new security order involves a cultural shift towards protecting the global business and its trusted supply-chain relationships through continuous security risk assessments. Faster technology cycles allow innovative criminals to create new threats, but the ability to deploy countermeasures quickly will be the ultimate value that security executives will bring to their organizations. A new security order has arrived, and with it, opportunities for the security channel to assist security executives in their mission.

Clouds Promise to Eliminate Expensive Server & Storage Platforms

At Intransa, vice president of marketing Jeff Whitney knows that IP technology is an enabler of both the problem and the solution to cyber crime, and because of that, dealers and integrators will be able to benefit from the revenue-generating opportunities it presents.

Whitney comments: Cloud computing will enable new revenue streams for dealers and integrators, particularly in remote monitoring of video surveillance and access control. Cloud technology, embryonic today, promises to eliminate the need for complex and expensive server and storage platforms just as IP is pushing aside CCTV.

Already, individual IP cameras can be monitored remotely within a facility, and external monitoring is limited only by the bandwidth of Internet connections. Appliance solutions are witnessing rapid adoption as the forerunner of this technology, eliminating complicated and expensive commodity IT hardware while delivering the benefits of open IP.

As cloud technology improves over the next decade, it will create significant new revenue for the dealers and integrators who get ahead of the curve and gain IP and appliance experience today.

Meanwhile, increasing cyber crime is a wakeup call for security professionals. IP technology is an enabler of both the problem and the solution to cyber crime, and the dealers and integrators who embrace it by adopting simple, proven appliances will be positioned to respond. Those remaining focused on securing only the physical world — leaving the cyber world to IT — ignore the opportunities that IP and appliance solutions offer to leverage both as revenue enhancers.

Integrators Can Adapt

At Panasonic System Networks Company of America, president Bill Taylor sees that the business model for integrators is in transition, but that corporations already view both cyber crime and physical crime as different heads of the same monster.

Taylor comments: As technologies migrate to systems that are more IT-driven, dealers and integrators will increasingly have to acquire IT expertise — either through training or by hiring new personnel — in order to stay competitive. As less physical installation and maintenance of systems is required, whether because of Web-hosted systems or use of existing network infrastructure, dealers and integrators can redefine their role to prioritize consultancy.

To a corporation, both cyber crime and physical crime are the same thing — crime; and security integrators will do well by expanding their business model to address both.

The existing business model for security integrators is in transition, but technology changes are also affecting every facet of the industry, including suppliers and end-users. The most sensible strategy is to analyze and respond to customer needs. Integrators can adapt by providing additional services and possibly a broader product line. End-user customers are not looking to move the security function to the IT department. They will continue to promote and maximize the value of security in their enterprises, and they will be looking to integrators and dealers for answers. How can video be used broadly to benefit the enterprise? Can security technologies provide operational metrics that are useful to management? How can integrators fulfill some part of security’s broadly defined function in a time when more services are being outsourced? How can cloud computing enable maintenance and monitoring to be done remotely (and more cost-effectively)? The ability to answer these questions will help determine future integrator success.

An IT Integrator’s Perspective

Technology integrator Alexander Open Systems, based in Overland Park, Kansas, is a network infrastructure integrator that entered the physical security market about three years ago as a Cisco partner. The company’s total revenue is more than $100 million annually, with physical security accounting for no more than two percent, says chief operating officer Grant Cynor, adding that it is a growing line of business.

“We think the overall cloud concept is something that’s definitely going to happen. My opinion is it looks a lot like the Internet stuff going on in the late 1990s, where everything was going to be managed by other people – everybody’s rushing to it.”

Cynor says that among Alexander Open Systems’ physical security clients, none are “in the cloud yet.”

“Ultimately, yes, they will be there. It’s easier for a cloud vendor to add on several terabytes of storage as a school building expands and adds additional cameras and video feeds. It makes a good case for a cloud in that instance,” Cynor says.

Cynor explains that it wasn’t the cloud computing concept that drove Alexander Open Systems to the physical security space, however. “We buy into the end-to-end networking concept that Cisco lays down — one throat to choke. The Cisco [physical security system] can interface with the telco and all the Cisco infrastructure along the way. Ultimately you’re going to have the storage end of it, which remains to be seen if that’s going to be Cisco,” he relates.

Alexander Open Systems has a small recurring revenue model based on the monitoring of firewalls and security devices on its clients’ networks, which are all IP-based infrastructure. “We do that for security devices and network devices — servers, routers, switches, even if you had a refrigerator on that network, we monitor those things,” he says. “We use our partnerships with cloud companies to enable the monitoring. We have visibility into those cloud companies, meaning statistics, so we can consult with our customers.”

Ultimately, Cynor says, this will include some kind of video monitoring in the future.

Unlocking the Power of Cloud Data

Axis Communications Inc. general manager Fredrik Nilsson believes that through hosted solutions, integrators will benefit by being unburdened from the cumbersome model of selling proprietary solutions. The cloud model, Nilsson thinks, will open myriad new business opportunities enabled by the power of cloud-based data.

Nilsson comments: Today’s dealer and integrator must modify solution offerings for end-users that fit the hosted solution profile or risk losing business opportunities. Traditional business of selling site-by-site proprietary solutions will be replaced in many market categories by service-oriented business where end-users purchase the ability to use software and then access critical security information from a secure online portal.

Since manufacturers provide security-software-as-a-service platforms, the integrator will enjoy relief from upgrading individual end-user sites, leaving more time to focus on new business. This cloud computing model also helps resellers more easily obtain financing as gross RMR margins are often tripled when compared to one-time sales of conventional security hardware and maintenance.

Additionally, cloud-based solutions like hosted video will involve end users in the monitoring process as mobile devices enable anytime, anywhere viewing for security and business intelligence purposes. Guard service companies can also salvage revenue opportunities by providing a smarter, scalable answer to those end-users forced to reduce manpower costs.

Finally, there’ll be a vast amount of new industry-specific integrator services as the cloud enables a virtualized search of key security and video “metadata.” Unlocking the power of cloud data will present innovative links between physical and logical security policies, as well as business operations.

Dan Dunkel brings more than 22 years of sales, management, and executive experience in the IT industry to a consulting practice, New Era Associates, focused on the emerging field of security convergence. He is also co-author of Physical & Logical Security Convergence, published by Syngress Publishing in 2007.